Red Hat included IPA-server (FreeIPA) with RHEL6.1 release. FreeIPA is an integrated security information management solution, like Microsoft Active Directory, combining 389 (LDAP server), MIT Kerberos, NTP, DNS. It consists of a web interface and command-line administration tools, so management can be done either with web browser or from command-line. It’s quite easy to implement FreeIPA on Windows/Linux-environment and i’ll show here how you can install, configure and use IPA without any deeper knowledge about Linux.
First step: Install
In my example I have already installed RHEL6.2, but you can use also CentOS or Fedora. I installed RHEL with minimal installation, upgraded all packages and then installed all packages for FreeIPA:
[root@x1 ~]# yum install ipa-* bind bind-chroot bind-dyndb-ldap
This will install all FreeIPA-packages and bind (nameserver) with chroot-option. It will take while, for example in my demo lab it installed 262 packages totally. So run install and relax with cup of coffee while waiting.
After installation completes, we need to check that ipa-servers hostname is set correctly:
[root@x1 ~]# cat /etc/hosts 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 172.16.16.16 x1.demo.konehuone.fi x1
[root@x1 ~]# hostnamex1.demo.konehuone.fi
Check that there is line with your servers FQDN, shortname and correct IP-address. If name/ip is not correct, you need to fix them before next step.
Second step: Configure FreeIPA
Now it is time to install and configure FreeIPA. This is really simple:
[root@x1 ~]# ipa-server-install --setup-dns
Installer will ask server host name, domain name and kerberos realm name. Accept default settings if you do not want to change them, you might want to change kerberos realm to short name (Like, DEMO in my example) if you want. You need to write also password for LDAP Directory Manager account and FreeIPA admin-user account, for best practise use different password for accounts.
By default installer will also setup DNS forwarder and reverse zones for you. It will ask IP of your forwared and will automatically create reverse zone for that network. After this installer will configure all necessary services (This might take while also).
Last phase here is to check that necessary firewall ports are opened, below is example from my iptables-configuration:
[root@x1 ~]# cat /etc/sysconfig/iptables # Firewall configuration written by system-config-firewall # Manual customization of this file is not recommended. *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 88 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 464 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT -A INPUT -m state --state NEW -m udp -p udp --dport 88 -j ACCEPT -A INPUT -m state --state NEW -m udp -p udp --dport 464 -j ACCEPT -A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT -A INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT
You could also combine ports to one line, but I like to have one line per port. After configuration you can test that everything is working just like it should:
[root@x1 etc]# kinit admin Password for admin@DEMO.KONEHUONE.FI: [root@x1 etc]# ipa user-find admin -------------- 1 user matched -------------- User login: admin Last name: Administrator Home directory: /home/admin Login shell: /bin/bash UID: 805800000 GID: 805800000 Account disabled: False Keytab: True Password: True ---------------------------- Number of entries returned 1 ----------------------------
If you can find admin user your FreeIPA-server is now configured and running fine.
Third step: Configure your Windows/Linux machines to authenticate with IPA
Adding Windows-clients to IPA includes bit more tasks than Linux-clients so we’ll start with Windows one.
Before we add any clients to IPA we need to create user account for user. In my example I will use cli-way, but you could do it from web-ui also:
[root@x1 log]# ipa user-add First name: Ipa Last name: Test User login [itest]: ipatest -------------------- Added user "ipatest" -------------------- User login: ipatest First name: Ipa Last name: Test Full name: Ipa Test Display name: Ipa Test Initials: IT Home directory: /home/ipatest GECOS field: Ipa Test Login shell: /bin/sh Kerberos principal: ipatest@DEMO.KONEHUONE.FI UID: 805800004 GID: 805800004 Keytab: False Password: False
Next we need to reset ipatest-users password:
[root@x1 log]# ipa passwd ipatest New Password: Enter New Password again to verify: ------------------------------------------------ Changed password for "ipatest@DEMO.KONEHUONE.FI" ------------------------------------------------
Next we need to create also account for client machine. In this example we will add first dns-record for the machine called winxp and then add host-entry to IPA and give host initial password used when connecting host to IPA:
[root@x1 log]# ipa dnsrecord-add Zone name: demo.konehuone.fi Record name: winxp [A record]: 172.16.16.17 [AAAA record]: Record name: winxp A record: 172.16.16.17
[root@x1 log]# ipa host-add Host name: winxp.demo.konehuone.fi ------------------------------------ Added host "winxp.demo.konehuone.fi" ------------------------------------ Host name: winxp.demo.konehuone.fi Principal name: host/winxp.demo.konehuone.fi@DEMO.KONEHUONE.FI Keytab: False Password: False Managed by: winxp.demo.konehuone.fi
[root@x1 log]# ipa-getkeytab -s x1.demo.konehuone.fi -p host/winxp.demo.konehuone.fi -e arcfour-hmac -k krb5.keytab.winxp.demo.konehuone.fi -P
New Principal Password: Verify Principal Password: Keytab successfully retrieved and stored in: krb5.keytab.winxp.demo.konehuone.fi
After this we configure host to use IPA-server. Currently there’s one problem with Windows authentication. You need to have local user where kerberos users are mapped. However local user can be locked, so you cannot log on with them directly but via kerbers-authentication. In my example I’ll use XP machine, and because of that we need to download additional tools and install whole package to get ksetup-tool.
In my example I didn’t create any local users, I just mapped everything to guest-user:
ksetup /mapuser * guestFinal task is reboot the machine and after it you should be able to logon using kerberos acount, in my example ipatest@DEMO.KONEHUONE.FI
Final words
You can do much more with IPA. I will write another post how you can extend usage of your IPA. I think that FreeIPA is really good implementation for any company wanting to avoid usage of Microsoft Active Directory.
Designed for HA 
Hi,
tnx for update documents for IPA
I hv configured ipa server as per your docs & client winxp is showing into domain but sitll
user is not able to login.
Yogesh
LikeLike